Cozzy Privacy Policy

Version 16 · Effective 14 June 2026

Last Updated: June 14, 2026

Cozzy Finance Limited ('Cozzy', 'we', 'our', or 'us'), a company registered in Ireland (CRO: 812498) with registered office at Venture Hub, 136 Capel Street, Dublin 1, D01 T2C9, Ireland, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share your personal data when you use the Cozzy mobile application and web dashboard (together, the "Service").

We operate in accordance with the General Data Protection Regulation (GDPR), the ePrivacy Directive, the EU Artificial Intelligence Act, and Irish data protection laws as enforced by the Data Protection Commission (DPC).

---

1. Not Financial Advice

Cozzy is an educational and informational tool. We do not provide financial, investment, tax, legal, or other professional advice. Any insights, categorisations, projections, or content shown in the Service are for general information only and should not be relied upon as a substitute for advice from a qualified professional.

---

2. Age Requirements

Cozzy is intended for users aged 16 and over.

If you are under 16 you are not permitted to use the Service. By creating an account you confirm that you are at least 16 years old. If you are aged 16 or 17, we encourage you to review this Privacy Policy with a parent or guardian.

We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@cozzy.io so we can delete it. The age of digital consent in Ireland is 16 (Data Protection Act 2018, Section 31). In the United Kingdom it is 13 (UK GDPR, Article 8(1)). We apply the higher threshold of 16.

---

3. Who We Are (Data Controller)

  • Name: Cozzy Finance Limited
  • CRO Number: 812498
  • Registered Address: Venture Hub, 136 Capel Street, Dublin 1, D01 T2C9, Ireland
  • Email: support@cozzy.io

We have assessed our obligations under GDPR Article 37 and determined that a Data Protection Officer is not formally required at our current scale of operations. We review this assessment annually and maintain a documented record.

Data Protection Contact: privacy@cozzy.io — for all data protection queries, data subject access requests, or complaints. Requests sent to support@cozzy.io will be forwarded to the Data Protection Contact without delay.

As Cozzy Finance Limited is established in Ireland (an EU Member State), no EU representative under GDPR Article 27 is required. For users in the United Kingdom, our UK contact point for data protection matters is privacy@cozzy.io.

---

4. Data We Collect

A. Information You Provide

  • Account Information: When you sign in via email, Google, or Apple, we collect your name and email address. If you sign in via Google or Apple, we may also collect your profile picture.
  • Customer Support: Any information you provide when you contact us for help.

B. Financial Data (via Open Banking)

To provide account aggregation and financial insights, we use Yapily Connect Limited ('Yapily'), an authorised Account Information Service Provider regulated by the UK Financial Conduct Authority (FRN 827001). When you connect a bank account, you explicitly consent to Yapily accessing your data.

  • Data Processed: Account numbers, balances, transaction history, account holder names, and counterparty information on incoming/outgoing transactions.
  • Storage: We store this data on our backend (Supabase, see §6).
  • Note: We do not see or store your bank login credentials.

Indirect collection (Article 14). Some personal data — in particular the names of counterparties to your transactions (payees, employers, merchants) — is collected indirectly from your bank via Yapily, rather than directly from you. We obtain this data under GDPR Article 14 on the legal bases set out in §5, and process it solely to display and categorise your account activity. Where any such third party makes a request to exercise their rights against us, we will respond in accordance with §9.

Art. 14(5)(b) — Disproportionate effort exemption. We do not separately notify counterparties whose names appear in your transactions. Taking into account the absence of any direct relationship between Cozzy and those persons, our lack of contact details for them, and the strict, ledger-display-only use of their data, individual notice would involve disproportionate effort within the meaning of GDPR Article 14(5)(b). This Privacy Policy serves as the public notice contemplated by that provision. Counterparties may exercise their data-subject rights at privacy@cozzy.io.

C. Device & Usage Data

  • Identifiers: Device ID, IP address. The Firebase Installation ID and Firebase Cloud Messaging (FCM) device token are created only after you opt in to a Firebase-backed feature; see §6 and the Cookie Policy.
  • Usage Data: How you use the Service, and crash logs and error diagnostics (a strictly-necessary security and stability measure — see §5 and §6, Sentry).
  • Performance data (with your consent): Where you consent to analytics, we use Firebase Performance Monitoring (see §6). Its automatic instrumentation collects app-start time, foreground/background state, and screen-rendering performance, and — through a network interceptor — traces of the HTTP/S requests the App makes, including the request URL, HTTP response code, payload size, and timing of calls to our API. We also record a small number of custom timing traces (e.g. how long an Olivia response takes). This data is transmitted to Google and is not collected unless you opt in to analytics.
  • Device-integrity signals: When the App detects signs that your device has been jailbroken, rooted, hooked, or attached to a debugger, those signals are transmitted to our security partner Talsec — see §6.

D. User-Generated Content (Education Hub)

If you submit comments or contributions in the in-App Education Hub, the text of your submission is processed for moderation (see §6, Google Perspective API). An inline notice at the comment box informs you that automated screening is in use, in accordance with EU AI Act Article 50(2).

---

5. Legal Basis for Processing

  • Consent: Connecting bank accounts (Open Banking), Firebase Analytics, Firebase Performance Monitoring, Sentry performance tracing, the optional Olivia AI assistant, and the AI Auto Categorisation feature for Expert-tier users.
  • Contract: Providing the Service's core features (excluding the AI features described above) and managing your subscription.
  • Strictly Necessary Exemption (ePrivacy): Essential client-side storage required for the Service to function, and the minimal device storage used by the crash/error-diagnostics SDK (Sentry) to detect and report faults that threaten the security or stability of the Service — Reg. 5(5) S.I. No. 336/2011 (Ireland); Reg. 6(4) PECR 2003 (UK).
  • Legal Obligation: Compliance with financial or tax regulations applicable to us.
  • Legitimate Interest (Art. 6(1)(f)): Crash and error diagnostics (Sentry EU) necessary to maintain the security, stability, and integrity of the Service; account recovery / wind-down processing in the 30 days following account closure; security and abuse-prevention audit logs; transmission of device-integrity signals via Talsec freeRASP; comment moderation; transactional email delivery; hosting; and indirect-collection counterparty data processing. A balancing test is documented in each case. You may object under Article 21 (see §9).

---

6. Third-Party Services (Data Processors and Sub-Processors)

| Service Provider | Role | Purpose | Data Shared |
| --- | --- | --- | --- |
| Yapily Connect Limited (UK) | Independent controller during bank authentication; our processor (Art. 28) during account-data retrieval | Open Banking connectivity | OAuth tokens, financial account & transaction data. See Yapily Privacy Policy. |
| Supabase (EU) | Processor (Art. 28) | Authentication, database, storage | User ID, email, hashed credentials, OAuth tokens, session data, encrypted app data. Hosted in eu-west-1 (Ireland). |
| Railway (EU) | Processor (Art. 28) | Application hosting | All API request/response data in transit (TLS), pseudonymised request logs. Hosted in eu-west (Amsterdam, Netherlands). |
| Google Firebase — Analytics | Processor (Art. 28) | Product analytics | Pseudonymised usage events, device-level identifiers. Requires your consent. Firebase SDK is not initialised until you opt in. Operated by Google on its global infrastructure; transfers outside the EEA are covered by the Standard Contractual Clauses (and the EU-US Data Privacy Framework where Google remains certified) — see §7. |
| Google Firebase — Performance Monitoring | Processor (Art. 28) | App performance and network-latency diagnostics | Automatic traces (app start, foreground/background, screen rendering) and HTTP/S network-request traces — request URLs, response codes, payload sizes and timings — for calls to our API, plus custom timing traces, device model/OS, app version, and approximate location derived from IP. Operated by Google on its global infrastructure (see §7). Requires your consent (shares the analytics consent gate); not initialised until you opt in. |
| Sentry (Functional Software, Inc. — EU cloud) | Processor (Art. 28) | Crash and error diagnostics | Stack traces, device model, OS version, app version. User IDs are pseudonymised (one-way hash) before transmission and attached only after you sign in; `sendDefaultPii` is disabled (no IP address). Hosted at `de.sentry.io` (Frankfurt, Germany). Strictly necessary for the security and stability of the Service: the Sentry SDK initialises at startup, independently of the analytics consent gate, and is not used for advertising or profiling. Performance tracing is separate and consent-based. You may object to this processing under Article 21 (see §9). |
| Google Firebase — Cloud Messaging (FCM) | Processor (Art. 28) | Push notification delivery | FCM device token, notification payload. Active only when push notifications are enabled. Operated by Google on its global infrastructure; transfers outside the EEA are covered by the Standard Contractual Clauses (and the EU-US Data Privacy Framework where Google remains certified) — see §7. |
| Google Cloud Vertex AI (Gemini) — Olivia | Processor (Art. 28) | Optional AI assistant (consent-based, see §10) | Sanitised transaction descriptions, aggregated financial summaries. Processed in europe-west4 (Netherlands). |
| Google Cloud Vertex AI (Gemini) — AI Auto Categorisation | Processor (Art. 28) | AI transaction categorisation for Expert-tier users who have opted in | Sanitised merchant names and generalised transaction descriptions. Processed in europe-west4 (Netherlands). |
| Google Perspective API (US) | Processor (Art. 28) | Automated moderation of user comments in the Education Hub | Submitted comment text. Transferred to the United States under Standard Contractual Clauses; we additionally rely on the EU-US Data Privacy Framework where the recipient remains certified at the time of transfer. Moderation fails open. |
| Talsec a.s. (freeRASP) (Czech Republic / EU) | Processor (Art. 28) | Mobile runtime application self-protection (root, jailbreak, debugger, hooking framework, and emulator detection) | Threat-event metadata (device model, OS, threat type, timestamp). Talsec transmits threat events to its EU backend; high-severity events are forwarded by Talsec by email to our security team. |
| RevenueCat (US) | Processor (Art. 28) | Subscription management | Purchase receipts, user UUID, subscription tier. Transferred to the United States under Standard Contractual Clauses; we additionally rely on the EU-US Data Privacy Framework where the recipient remains certified at the time of transfer. |
| Resend (US) | Processor (Art. 28) | Transactional email delivery | Recipient email address, name, and the contents of system-generated notifications. Transferred to the United States under Standard Contractual Clauses; we additionally rely on the EU-US Data Privacy Framework where the recipient remains certified at the time of transfer. |

No advertising. Cozzy does not display third-party advertising in any surface and does not integrate any advertising SDK (e.g. Google AdMob). Cozzy does not collect or use the iOS IDFA or the Android Advertising ID, and does not share data with advertising networks. We will notify you and obtain a fresh legal basis before introducing any advertising-related processing.

---

7. International Data Transfers

The Service is primarily hosted in the European Union: Supabase in eu-west-1 (Ireland), Railway in eu-west (Amsterdam, Netherlands), Vertex AI in europe-west4 (Netherlands), Sentry at de.sentry.io (Frankfurt, Germany), and Talsec in the European Union.

Sub-processors that may process data outside the EU/EEA: RevenueCat, Resend, and Google Perspective API (all in the United States); and the Google Firebase services we use — Analytics, Performance Monitoring, and Cloud Messaging (FCM) — which Google operates on its global infrastructure and which are not EU-region-pinned. The primary transfer mechanism is the Standard Contractual Clauses. Where the recipient remains certified under the EU-US Data Privacy Framework at the time of transfer, we may additionally rely on the DPF. A copy of the safeguards relied on for any transfer, including the current certification status of each US recipient, is available on request from privacy@cozzy.io.

---

8. Data Retention & Deletion

| Data Category | Retention Period | Legal Basis / Justification |
| --- | --- | --- |
| Account information | Duration of account | Contract performance (Art. 6(1)(b)) |
| Account information after closure | 30 days from account closure | Legitimate interest in account recovery, wind-down processing, and dispute resolution (Art. 6(1)(f)) |
| Financial / transaction data (including AI-assigned categories) | Duration of account + 6 years | Legitimate interest in defending potential legal claims (Statute of Limitations Act 1957 s.11 (IE); Limitation Act 1980 s.5 (UK)) |
| AI insights (Olivia responses) | Duration of account or until AI consent withdrawn | Consent (Art. 6(1)(a)) |
| AI Auto Categorisation audit logs | 90 days | Legitimate interest in service quality and debugging |
| AI interaction audit logs | 90 days | Legitimate interest in security auditing and abuse prevention |
| AI security event logs | 365 days | Legitimate interest in fraud prevention and incident investigation |
| Vertex AI abuse monitoring data (Google) | Up to 55 days | Managed by Google under the Cloud Data Processing Addendum. Data is PII-scrubbed before transmission. |
| Comment moderation (Perspective API requests) | Not retained by Cozzy beyond the moderation decision; Google retention governed by Google's policies | Legitimate interest in safety of user-generated content |
| Talsec threat events | Retained on Talsec's EU backend per Talsec's policy; high-severity events also surfaced in our security inbox and retained per §Support correspondence | Legitimate interest in fraud prevention and platform integrity |
| Analytics data | 14 months | Firebase Analytics default; data minimisation (Art. 5(1)(e)) |
| Performance monitoring traces | 90 days | Firebase Performance Monitoring default; data minimisation (Art. 5(1)(e)) |
| Crash logs and error events | 90 days | Legitimate interest in service security and stability (Art. 6(1)(f)); data minimisation (Art. 5(1)(e)) |
| Cookie / consent records | 6 months (then renewal prompt) | DPC guidance on consent renewal cycles |
| Support correspondence | 2 years from resolution | Customer service and dispute resolution |

  • Deletion: You can delete your account and all associated data immediately via Settings > Delete Account.
  • Effect of Deletion: We delete your data from Supabase, revoke bank access tokens, anonymise audit logs, and delete all AI-generated insights and history.
  • AI Consent Withdrawal: When you disable Olivia, we immediately delete your stored AI insight history and cached responses. When you switch the AI Auto Categorisation toggle off, no further AI categorisation is performed; previously assigned categories remain attached to your transactions (you can overwrite or clear them manually).

Data Breach Notification. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Article 34, and the DPC within 72 hours where required under Article 33.

---

9. Your Rights

Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, to withdraw consent at any time, and to lodge a complaint with a supervisory authority (Art. 77) — see §14. Where we rely on legitimate interest (including crash and error diagnostics), you have the right to object under Article 21.

To exercise these rights, please contact us at privacy@cozzy.io. We will normally verify your identity by replying to the registered email on your account. We will respond without undue delay and within one month of receipt. For complex or high-volume requests we may extend by a further two months, in which case we will tell you within the first month. Requests are handled free of charge except where they are manifestly unfounded or excessive (Art. 12(5)).

---

10. Automated Decision-Making, Profiling, and AI

10.1 Overview

Cozzy uses artificial intelligence in two distinct, opt-in flows:

1. Olivia AI Assistant — optional, consent-based, default OFF. Available across paid tiers.

2. AI Auto Categorisation — Expert-tier subscription feature, default OFF. Controlled by the "Auto Categorisation" toggle under Settings > Preferences. On first upgrade to Expert you are shown a one-time prompt asking whether to enable the feature; the legal basis is your explicit consent (Art. 6(1)(a)). Switching the toggle off stops further AI categorisation immediately.

Free and Beginner-tier users do not have access to AI Auto Categorisation; no transaction data is sent to Vertex AI for categorisation purposes for users on those tiers.

Both features run on Google Gemini via Google Cloud Vertex AI in europe-west4 (Netherlands).

10.2 No Automated Decisions with Legal Effect

These AI features are advisory and informational only. They do not produce legal effects or similarly significant effects on you within the meaning of GDPR Article 22(1). You may override any AI-generated categorisation at any time, and you retain the right to obtain human intervention, express your point of view, and contest any AI output by contacting privacy@cozzy.io.

10.3 What Data Is Processed by AI

Before any data is sent to the AI model, we apply automated heuristic filters designed to remove personal identifiers (account numbers, IBANs, sort codes, email addresses, phone numbers, personal names, card numbers, transaction reference numbers) from transaction descriptions. These filters are the operative safeguard under our DPIA: their effectiveness is reviewed periodically and they constitute the legal basis on which we conclude that the data sent to the model is not, in practice, personal data save for residual leakage.

Special-category data (Art. 9). We apply additional filters intended to suppress transaction descriptions that may reveal health information (e.g. medical providers), religious affiliation, political opinions, or trade union membership. We acknowledge no automated filter is perfect. Where Article 9 data is nonetheless processed, we rely on your explicit consent under Article 9(2)(a), given at the granular AI feature opt-in. When you opt in to Olivia or to AI Auto Categorisation, you are asked to confirm that you understand the small residual risk of special-category data being inferred from your transaction descriptions, and that you consent to that processing.

Only sanitised merchant names, generalised transaction descriptions (capped at 80 characters), and aggregated financial summaries are sent. No raw bank data is sent.

10.4 Your Control Over AI Features

  • Olivia (default OFF): Toggle under Settings > Preferences > AI Features > AI Insights. Disabling Olivia immediately deletes your stored insight history and cached responses.
  • AI Auto Categorisation (Expert tier only, default OFF): Toggle under Settings > Preferences > Auto Categorisation. Available only when your subscription tier is Expert. Switching the toggle off stops further AI categorisation immediately.

10.5 EU AI Act Transparency (Article 50)

  • Olivia output is labelled "AI-powered by Gemini" at the point of display.
  • Transactions categorised by AI display an "AI" indicator distinguishing them from manually categorised or rule-based results.
  • The Education Hub comment box carries an inline notice ("Comments are screened by an automated classifier.") so that you are informed at the point of interaction that an AI moderation system is in use (Art. 50(2)).
  • Outputs may occasionally contain inaccuracies. Verify important financial information against your official bank statements.
  • You have the right to request human review of any automated output by contacting privacy@cozzy.io.

10.6 Profiling

Cozzy analyses your financial data to identify spending patterns, trends, and categories. This constitutes profiling within the meaning of GDPR Article 4(4).

Article 22 status. Profiling outputs are displayed to you as informational insights only. They do not constitute a decision based solely on automated processing within the meaning of Article 22(1): they do not restrict your access to any feature, affect your subscription tier, influence credit decisions, or produce any legal or similarly significant effects. Any action — such as adjusting a budget or moving money — is taken by you, not by the Service. Profiling outputs are not shared with third parties for marketing, advertising, or credit-scoring purposes. You can disable AI-powered profiling at any time via Settings > Preferences > AI Features.

10.7 Data Protection Impact Assessment

We have conducted a Data Protection Impact Assessment (DPIA) covering our AI processing and Open Banking data aggregation operations, in accordance with GDPR Article 35. A summary is available on request from privacy@cozzy.io.

---

11. Cookie Policy

See our standalone Cookie Policy. In summary, the Service uses (a) essential client-side storage; (b) analytics (Firebase Analytics) and performance monitoring (Firebase Performance Monitoring), both of which require your explicit consent and are not initialised on your device until you accept — performance monitoring additionally shares the request URLs of calls to our API with Google; (c) crash and error diagnostics (Sentry EU), which are strictly necessary for the security and stability of the Service and initialise at startup with `sendDefaultPii` disabled and no advertising use; and (d) push-notification tokens (FCM) where you have enabled notifications. Our web surfaces use only essential / functional cookies (session-only theme; post-form-submission waitlist confirmation with 365-day retention) and therefore do not display a consent banner.

---

12. Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including encryption at rest and in transit (TLS 1.2+), row-level security on all database tables, automated PII scrubbing before external AI processing, rate limiting on all API endpoints, mobile app integrity verification via Talsec freeRASP (detection runs locally on your device; threat-event metadata is transmitted to Talsec's EU backend), and access controls based on the principle of least privilege. Bank consent tokens are encrypted with AES-256-GCM at rest.

---

13. Version History

  • v16 (June 2026): Firebase Performance Monitoring disclosed as a consent-gated sub-processor (shares the Firebase Analytics consent gate). Its automatic instrumentation captures app-start/screen-render traces and HTTP/S network-request traces — including request URLs, response codes, payload sizes and timings — which are transmitted to Google; disclosed in §4C (Device & Usage Data), §5 (consent list), §6 (sub-processor table), §7 (international transfers — Google global infrastructure, SCC/DPF), and §8 (retention, 90 days). §6 and §7 also now state explicitly that the existing Firebase Analytics and Cloud Messaging (FCM) services are operated by Google on global infrastructure and that any non-EEA transfer relies on the SCCs (and DPF where certified). Sentry posture unchanged.
  • v15 (June 2026): Crash and error diagnostics (Sentry EU) reclassified as strictly necessary for service security and stability (ePrivacy Art. 5(3) exemption) and processed under legitimate interest (Art. 6(1)(f)), no longer consent-gated. The Sentry SDK now initialises at startup to capture cold-start and onboarding crashes; `sendDefaultPii` disabled, no IP address, user ID pseudonymised and attached only after sign-in. Article 21 objection right added to §9. Sentry performance tracing remains consent-based. Firebase Analytics consent unchanged.
  • v14 (June 2026): Replaced Firebase Crashlytics with Sentry EU (Functional Software, Inc., `de.sentry.io`, Frankfurt, Germany) for crash and error reporting. User IDs pseudonymised before transmission; `sendDefaultPii` disabled. Crashlytics removed from consent list, sub-processor table, cookie summary, and retention schedule.
  • v13 (May 2026): Art. 14(5)(b) disproportionate-effort exemption added to §4 indirect-collection notice, naming the safeguards relied on; cookie-policy summary in §11 updated to reflect 365-day waitlist retention and removal of the email cookie.
  • v12 (May 2026): Talsec/freeRASP corrected to processor (threat events are transmitted to Talsec's EU backend, not on-device-only); Firebase SDK deferral implemented in code, with policy text updated to match; DPF references qualified; Article 9 special-category framing tightened (heuristics as operative safeguard, fresh explicit-consent confirmation at opt-in for residual leakage); account-info retention split into in-account (contract) and 30-day post-closure (legitimate interest).
  • v11 (May 2026): Auto Categorisation reframed as explicit opt-in (default OFF); Art. 14 indirect-collection notice; freeRASP named; profiling clarification; no-advertising disclosure.
  • v10 (May 2026): Sentry removed; Perspective API + FCM added; AI Transaction Categorisation framed as Expert-tier toggle; Supabase + Railway regions pinned.
  • v9 (April 2026): Registered legal entity; Yapily controller/processor split; Crashlytics essential justification; Data Protection Contact; UK contact point.
  • v8 (April 2026): Named Yapily; added Railway, Resend; Vertex AI retention; DPIA; security measures section.
  • v7 (March 2026): AI transparency — Vertex AI disclosed, EU AI Act Article 50 compliance.

---

14. Contact Us

  • Email: privacy@cozzy.io
  • Support: support@cozzy.io
  • Address: Venture Hub, 136 Capel Street, Dublin 1, D01 T2C9, Ireland

You also have the right to lodge a complaint with the Irish Data Protection Commission:

  • Website: dataprotection.ie
  • Email: info@dataprotection.ie
  • Postal: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

If you are based in the United Kingdom, you may also contact the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113

© 2026 Cozzy. All rights reserved.